GDPR - Are You Ready?
Updated: Mar 22, 2018
May 25th 2018 is one of the most important dates on any marketer’s calendar. This is the date the new data protection regulation comes into effect and, more worryingly for smaller businesses, the date on which email marketing and the practices behind it change forever.
Awareness of GDPR may be rising, but awareness of what it takes to be compliant is still seriously lacking, according to a new study which claims that only 2% of businesses that believe they have met their obligations under the data protection reforms have actually achieved the necessary standards.
According to the Veritas 2017 GDPR Report, which covers the UK, US, France, Germany, Australia, Singapore, and Japan, almost one-third (31%) of businesses believe that their company already conforms to the legislation's key requirements. However, when those businesses were asked about specific GDPR provisions, 98% of them fell well short.
Companies must now focus on five high-priority areas to ensure they won't be part of that 98%.
Determine exactly how GDPR affects them
Any organisation that decides what personal data is processed, for what purpose and by what means, is a “data controller.” The GDPR applies not only to businesses established in the EU, but also to organisations outside the EU that process personal data in order to offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects within the EU.
Organisations outside the EU that meet either of these criteria must designate a representative in the EU to act as a point of contact for the data protection authority (DPA) and for data subjects. This leads on to the next priority for companies affected by GDPR.
Appoint a data protection officer
When GDPR is introduced, a number of companies will have to appoint a data protection officer. A DPO is mandatory for public authorities, and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data or criminal records); other organisations may appoint one voluntarily. The role of a data protection officer is to oversee data protection strategy and monitor compliance. They must also educate those within the company on what they must do in order to comply with requirements, provide staff involved in data processing with the necessary training, and perform privacy audits.
Operate transparently and demonstrate accountability
When processing data, companies should operate transparently and be able to demonstrate that they are accountable for their actions. Where processing relies on consent as its lawful basis, an organisation cannot demonstrate accountability without properly obtaining and recording that consent. In the past, companies might have been able to get away with implied consent and pre-ticked boxes, but this will no longer be the case: consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and it must be as easy to withdraw as it was to give. Companies will now have to introduce, if they are not in place already, measures that enable them to obtain and record both consent and the withdrawal of consent.
People must know exactly what they are agreeing to, so companies should be clear about what data is collected and how and why it is processed.
Manage cross-border data flows correctly
Within the EU and EEA, personal data can be transferred freely between the 28 EU member states and the EEA members Norway, Liechtenstein and Iceland. Data transfers can also be made to any of the 11 jurisdictions considered by the European Commission to offer an adequate level of protection. This is established through an adequacy decision, in which the Commission finds that a third country provides, through its domestic law or its international commitments, a level of protection of personal data essentially equivalent to that in the European Union. The list of adequacy decisions changes over time, so it should be checked before a transfer is relied upon. For transfers that do not fall within these areas, companies must put appropriate safeguards in place. Examples of such safeguards include Binding Corporate Rules (BCRs) and standard contractual clauses (SCCs), also known as “EU Model Contracts”.
Anticipate data subjects exercising their rights
The introduction of the GDPR creates new rights for individuals and also strengthens some of the existing rights. The rights provided by the GDPR include the right to data portability, the right to be forgotten (erasure), and the right to be informed. The latter covers being told what data is collected and why, being notified of a data breach that is likely to result in a high risk to the individual, and being given meaningful information about the logic involved in automated decision-making, including decisions made by machine learning systems. Requests from data subjects must generally be answered within one month.
Ideally, businesses should already have measures and plans in place to deal with GDPR coming into effect. However, if a business is not prepared to handle data breaches (which must be reported to the supervisory authority within 72 hours of the business becoming aware of them, unless the breach is unlikely to result in a risk to individuals) and people exercising their rights, then it is imperative that it starts implementing additional controls as soon as possible.
There have been many reasons given for the current malaise over GDPR implementation, from confusion and conflicting advice from the Information Commissioner's Office to Brexit and sheer ignorance, but a worrying new factor has emerged: many marketers simply do not have the experience to deal with the changes.
We understand that these new regulations could require drastic changes to many SMEs' marketing tactics and budgets, so here at Opt-In Service we want to help take the stress away from your marketing team by giving you all the GDPR facts.